GRC Auto-Provisioning Behavior

Hello Experts,
I am a newbie in supporting GRC, thus most of the errors encountered are crucial for me to resolve.
I have some inquiries with regard to GRC's behavior.
1. If a GRC request has been created to assign roles with validity date earlier than today, why does GRC close the request (with logs saying that auto-provision has been completed) but the roles were not assigned yet to the user id?
Ex. GRC CUP created March 22 to assign the following roles:
RoleXXX  valid from March 26, 2010 to December 31, 2010.
RoleYYY  valid from March 26, 2010 to December 31, 2010.
Upon checking user's role, these roles were not assigned to his account.
2. We also have scenario where the role is requested to be added for next week but GRC auto-provisioned it today and closed the request.
Ex. GRC CUP created March 22 to assign the following roles:
RoleZZZ valid from March 26, 2010 to December 31, 2010.
RoleAAA valid from March 26, 2010 to December 31, 2010.
Upon checking user id, role has been assigned to him the same day the GRC request has been closed.
Please advise why these 2 new scenarios have different results whereas they are the same type of request. Does workflow have something to do with it?
Version: GRC-SAC-SAE 5.3_09.1
Thanks.

Hi Santosh,
In AC 10.1, I created one BRF plus initiator rule. Although I saved it in the GRAC_ACCESS_REQUEST package, the Transport button is not available (not greyed).
Did you face this issue? How to get this change in transport?
PS: Applications are activated.
Thanks,
Mamoon

Similar Messages

  • Auto-provisioning new users with GRC 10.1

    There is some lack of clarity at my client on auto-provisioning new users into SAP systems with GRC 10.  Here's what they want and I'm telling them they need SAP IdM.
    The client will regularly have upwards of 500 new users on an on-going basis.  These users are approved and created in Active Directory.  The client believes that GRC 10 can now pick up these new users from Active Directory and then go ahead and provision them into ECC and CRM automatically, as soon as they're created, with no further approval required.
    To the best of my knowledge, the easiest way to do this would be for IdM to do this, and have IdM trigger GRC for certain users, and to provision users who fall into this group of 500 users.
    These users are different from regular users, who need to go through the approval workflows.  Regular users will have managers and roles that need approval.  These 500 or so users are approved to be created in the system and don't need to get caught up in the approval workflow.
    Am I wrong in saying that IdM 7.2 is the best way to do this, or am I missing something about what GRC 10 can do?
    Thanks for your help.  I really appreciate it.

  • GRC 5.3 - Auto Provisioning completed but Status remains Open

    Hi All,
    Lately GRC 5.3 does not change the status to closed once approval has been submitted. Auto Provisioning completed successfully as roles were assigned to the back end ABAP system.
    Please advise how to change the status to CLOSED once auto provisioning completes.
    Thank you
    Jacky.

    Hi,
    I'm not sure if this is a new issue with SP17. Everything was working fine before we upgraded to SP17. Can anyone help to solve this issue?
    Thank you.
    Regards,
    Merdelyn

  • GRC CUP 5.3 Auto provisioning Error

    Hello All,
    This issue is occurring in development system of GRC and works as expected in Quality systems.
    Development system of CUP Jco's connected to the development ABAP stack and
    Quality Systems of Cup Jco's connected to the QA ABAP stack .
    All the parameters and the configuration are the same in Dev and QA.
    Now the problem we have is at the last approval stage in the workflow after the approver approves the request (Create/Change) It is erroring out in Auto Provisioning stage with the below message :
    Error provisioning your request. Request no: 75. Error occurred in the system(s) : n/a, error details :
    DEVL1120-TEST_A-USER CREATE-Password is not long enough (minimum length: 10 characters)
    DEVL2120-TEST_A-USER CREATE-Password is not long enough (minimum length: 10 characters)
    If the same approver goes back into the request and re-approves, the auto-provisioning is completed and the request is closed. For every last approver the first time he tries to approve the message he gets the above errors in development and does not receive the same error in QA.
    The password parameters in the ABAP stack and the Portal Security config are same in DEV and QA. I am not sure if I am missing any information. Any suggestion/Help is appreciated.
    Angara

    Raghu, thanks for your response. Yes, I checked all the login parameters in both QA & DEV and compared those that were user defined vs. default; they were the same with no difference, yet the problem occurred in the Development system.
    I finally figured out the issue and the surprising part was the error that was issued during auto provisioning is very misleading.
    Our Security team had prototyped CUA and connected to the same development client CUP was connected and forgot to remove the child system from the CUA after their demo was complete.
    By utilizing the debug log mechanism, it showed the error as the BAPI that is used by CUP to create the user was failing due to CUA locking the client with no ability to create the users in the child system directly. The error displayed had no connection to the password length.
    Thank you all my issue has been resolved and back in business.
    Best Regards,
    Angara Rao

  • GRC 5.3 CUP auto provisioning of Mitigation Assignment in RAR

    Hello,
    Is there any other workflow that needs to be triggered for the auto provisioning of the Mitigation control id assignment to the userid in RAR system from CUP,  upon request completion?
    I created a request that after the final stage of sox approver, got auto provisioned roles assigned to the user id in the SAP system , but it also stated that auto provisioning failed and got re-routed to the detour path of the security admin as I configured in case of auto provisioning failure. When I look at the error log, it states:
    User Provisioning failed for System(s) : XYZ. Error Message : User type TE is unknown
       Role: ROLEA assigned to user: TESTER1 in System(s): XYZ.
    1). So, even though the approved role is being assigned to the user in the backend system, some other stuff is failing at auto provisioning. And I thought it might be the mitigation control assignment to the userid in RAR. I have the mitigation fields/objects active. But how do I ensure the auto-assignment of mitigation control ids also gets assigned on the same request upon sox approval?
    2). The other question is where is the value of the 'controller' stored when configuring a stage for workflow approver determinator in the sox approver stage? Where is this value picked up from? We don't want to use the RAR mitigation approvers or monitors, we want to use a custom approver id from CUP and then the control id to be assigned upon approval automatically to the userid in RAR via CUP request completion during auto provisioning. Is this possible? The only thing failing for us is trying to determine how to create the custom approver determinator for SOX approver in CUP since it asks for 'attribute' value for workflow type 'Compliant User Provisioning' which doesn't make sense for this.
    And then the above error even though the user role assignment is auto provisioning already but still giving the error as I listed above and re-routing to detour path instead of completing the request. Is it due to auto provisioning failure of mitigation control assignment in RAR?
    Thanks in advance,
    Alley
    Edited by: Alley1 on Sep 20, 2011 1:15 AM

    Hi Karell,
       Here is response to your questions:
    I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service : No. As far as I know the web service is only for RE/ERM.
    Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes role during approval phase, it will invalidate the risk analysis which was run during request submission.
    Can somehow the Risk Owners defined in the RAR component be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
    Regards,
    Alpesh

  • Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

    Hello,
    I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
    1. Connected CUABOX to GRCBOX like a plug-in system.
    2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
    3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
    After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
    Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
    Any help in this regard is very helpful.
    Thank you,
    Pawan

    Hi Alessandro,
    I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
    1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
    2. Approvals provided to assign the ECC role.
    3. I see the following in GRFNMW_DBGMONITOR_WD.
               Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                   New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                   T-CUA_CHILD User does not exist in target system CUA
    GRC created an account without role assignment in ECC but also threw me an error that the user does not exist in CUA.
    However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
    So I am wondering if there is a way to provide CUA access to users by default for new account request types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
    Thank you for your help!
    Pawan

  • OIM - OID (11g) auto-provision thru ldap sync

    Hi,
    I have configured ldap sync. I have following questions
    1. We have created custom attributes in OID and referred to a custom object class. Now when I try to create a user in OIM, the user is auto-provisioned to OID. But the custom attributes in OIM are not getting provisioned to OID (unable to see the custom attributes in the user object of OID, unless we manually refer to the custom object class). Can anyone let me know how to auto-provision the custom attributes into OID?
    2. When a user is auto-provisioned to OID, it is not showing any resource profile details of OID in OIM. Is it the expected behavior? But create, update, delete are happening as expected.
    Please let me know if anyone knows the solution.

    Hi,
    Were you able to achieve this? I have a similar requirement where I have added 5 custom attributes in both OIM and OID; when I create the users these attributes do not get updated on OID. Should I add these UDFs in any objectclass which OIM understands? Please suggest.
    Thanks in advance

  • CUP - Initiator for roles not requiring approval (i.e. auto provisioned)

    We recently upgraded to GRC 5.3, SP10 and started noticing that using CUP, for roles that should be automatically provisioned (i.e. no approval required), it is taking between 3 minutes 45 seconds to 5 minutes for the request to be successfully submitted and automatically approved with provisioning. I was wondering if anyone is experiencing similar system performance.
    Our set-up for auto provisioned role requests is as follows:
    1.  Created initiator INI_NO_APPROVE using role for attribute
    2.  Created stage STG_NO_STAGE  with Approver Determinator = No Stage
    3.  Created path definition PATH_NO_APPROVE with number of stages =2 and initiator = INI_NO_APPROVE
    Thanks!

    F.Y.I.
    As per SAP's recommendation - we applied note:1423983 in all target provisioning systems and this resolved the issue.

  • Limitations of Auto-Provisioning through CUP (AE)

    Hi all,
    I am looking for some information on what are all the benefits and limitations of using auto-provisioning over manual provisioning for the backend systems through CUP (AE).
    We are implementing GRC AC 5.3 and it is the organization's business decision whether we need the provisioning piece to be automated or not. However, I would like to get your suggestions based on your project experiences, esp. in a decentralized security administration where security admins are in different geographical locations and have to provision only for their user groups.
    Can we perform all the activities thro' auto-provision similar to a security administrator manually creating a user, assign appropriate user groups etc.,  or is there any limitation?
    Which approach would be better for decentralized administration?
    Appreciate your suggestions..
    Thanks
    Siri

    Hi Alpesh & Williams,
    The user default settings such as date, timezone, decimal etc can be configured through the 'user defaults' and 'user default mapping' . I see the option of assigning user  groups and appropriate parameters too.
    Say the user belong to user group AAA_XXX  and another user belongs to AAA_YYY, where
    AAA - location
    XXX - Dept
    I have configured these (location, dept) as required fields while entering the request in CUP .
    However, during run time how will the correct user group be assigned to the user. Is it through the user default mapping? Where do we maintain all the user group information that is available in the ECC system? Do we have to create user default, user default mapping for each user group??
    The documentation from SAP is not very clear .. Appreciate if you can provide some lights on this area.
    Thanks
    Siri

  • Handling Auto-provisioning failure Manually?

    Hi all,
    WE are going with auto-provisioning for ECC and EP systems.
    I am looking for some suggestions, in case auto-provisioning failed due to some reason.
    I tweaked the connector settings in Portal that will throw some error. Then I configured the escape route for 'Auto Provisioning Failure'. The request goes thro' the escape route to the GRC Admin to fix the auto-provisioning issue. But this is delaying our access provisioning process. I am looking for ways to approve and close the request in case of errors.
    Is there a way to let the user provision manually and document the reasons in the comments and close the request?
    I should just approve and close the request without triggering auto-provision in case of errors.
    Can this be done?
    Thanks in advance..
    Kee

    Hi Siri,
    There are two modes in CUP for provisioning manual and auto however it is not possible for  approvers to switch between these two. This configuration is applicable only all the requests.
    If you have auto provisioning off then in all the request approvers will get "Create User or Assign Role" buttons by which they have to do the manual provisioning.
    The error in auto provisioning is not a usual thing which happen in production environment  and when this happen this should be corrected immediately. If this take some time you can create system level  auto provisioning setting where you can disable the auto provisioning for one system which is causing issue in your environment and provisioning in other system will be working automatically.
    Thanks

  • Safari 5.1 strange auto-reloading behavior for tabs in the background

    hi guys.
    I have been encountering this strange behavior recently. I had thought it could be something wrong with my system, until yesterday i upgraded my Safari for Windows to the v.5.1 on a Windows XP laptop, and found the same issue. Now i guess I can be quite certain this is a safari issue.
    System info:
    1. Macbook Pro 17", OSX 10.6.8, 64bit boot (i have 8GB RAM).
    2. Safari (Mac) is the latest version (as updated by the Auto update), run in the default 64bit mode.
    3. The windows machine is an old Thinkpad T60 with Windows XP Pro SP3. The Safari for windows is Safari 5.1 (7534.50), also updated by auto update.
    4. I have not installed any Safari extensions/plugs that feature an auto-reloading -- as such behavior was never seen before i upgrade to Safari 5.1
    Since i mostly work on mac the mac has been kept most updated. But the windows machine which i use now and then, i don't update everything very frequently. And the earlier Safari 5.0 worked fine without the current issue.
    Symptoms
    1. Let's say I have 1 Safari window open with 5 tabs, and I have been working on the 4th tab for a while, and left the other 4 tabs "idling" in the background.
    2. And then i want to switch to another tab: click on that tab, and that tab will come to the foreground while being automatically refreshed.
    3. It looks to me this behavior happens after the inactive tabs have been idling longer than a certain period of time - then if you switch to them, they will be switched to and in the same time auto-reloaded. But I still don't know how long it needs for the "idling" before an auto-reloading "threshold" is triggered.
    4. In the beginning this was just on the Mac Safari (and i hadn't updated safari on the windows). But after I updated safari for WIN yesterday, i found the same behavior today.
    5. I checked all the Preferences settings and didn't find any option that indicates this behavior.
    Guys. any ideas? anyone have the same trouble? Thanks a lot guys. This is really annoying.

    Carolyn Samit wrote:
    I'm running Safari 5.1 / SL v10.6.8 on one Mac with Glims installed and I never have a problem with tabs auto reloading. You might want to give it a try.
    It's free!
    http://www.machangout.com/
    Once the software is installed you can access the settings from Safari / Preferences - Glims.
    If you don't like the software you can use their uninstaller here.
    Hi Carolyn thanks a lot for the idea.
    The weird thing is... after i tried to uninstall and re-install a few apps the "auto-loading" behavior disappeared ... guess something was interfering with safari 5.1...
    But thanks for recommending Glims. I took a quick look at the website and it looks great. will do some more research before i start using it. Thanks for the recomm!

  • CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

    Hi All,
    I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
    Here is an example of the audit trail log from Change Account:
    Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14 
    Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14 
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
    Auto provisioned for request on 06/28/2010 17:14 
       User Provisioning failed for System(s) : DEV. Error Message :
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
    Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure 
       Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
    Note: the role names were replaced with "xxxxxxx."
    The system log gives an error, but it is very vague:
    2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
    com.virsa.ae.service.ServiceException
         at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
         at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
         at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
    Any ideas or suggestions?
    Current software level AC5.3 SP12.
    -Dylan

    Hello Varun,
    Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. Your question prompted me to do more testing with very interesting results.
    Results
    New Account with User Defaults configured:
    User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
    New Account without User Defaults configured:
    User provisioned successfully, no Auto-Provision error.
    Change Account with User Defaults configured:
    User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
    Change Account without User Defaults configured:
    User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
    In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
    For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
    What about on your side? Am I the only guy using SP12 here?
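
Added example, not part of the original thread and not SAP code: a Python reconciler for the CUP audit-trail format quoted above, flagging requests where a provisioning failure is logged alongside role assignments, and (as in the first thread on this page) roles whose valid-from date is later than the provisioning date. The line patterns are inferred from the quoted log, both sample trails are constructed, and the finding codes are hypothetical names.

```python
import re
from datetime import datetime

# Line patterns inferred from the audit trail quoted in the thread (assumption:
# dates are MM/DD/YYYY, as "06/28/2010" in the quoted log implies).
APPROVED = re.compile(
    r"Approved (\S+) role for (\w+) action with validity dates "
    r"(\d{2}/\d{2}/\d{4})-(\d{2}/\d{2}/\d{4})")
PROVISIONED = re.compile(r"Auto provisioned for request on (\d{2}/\d{2}/\d{4})")
FAILED = re.compile(
    r"User Provisioning failed for System\(s\) : (.+?)\. Error Message :\s*(.*)$")
ASSIGNED = re.compile(
    r"Role: (\S+) assigned to user: (\S+) in System\(s\): (.+?)\.?$")

# Constructed sample 1: shortened copy of the "Change Account" trail above.
TRAIL_FAILED = """\
Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14
Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
   Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
Auto provisioned for request on 06/28/2010 17:14
   User Provisioning failed for System(s) : DEV. Error Message :
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
   Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure
"""

# Constructed sample 2: the future-dated scenario from the first thread,
# written in the same line format (requester, approver, path, user invented).
TRAIL_FUTURE = """\
Request submitted for approval by Test Requester(REQ01) on 03/22/2010 09:00
Approved By Test Approver(APP01) Path PATH_A and Stage STAGE_A on 03/22/2010 09:05
   Approved RoleZZZ role for Add action with validity dates 03/26/2010-12/31/2010
   Approved RoleAAA role for Add action with validity dates 03/26/2010-12/31/2010
Auto provisioned for request on 03/22/2010 09:05
   Role: RoleZZZ assigned to user: TESTUSER in System(s): DEV.
   Role: RoleAAA assigned to user: TESTUSER in System(s): DEV.
"""


def _date(text):
    return datetime.strptime(text, "%m/%d/%Y").date()


def reconcile(audit_trail):
    """Return (code, detail) findings for one request's audit trail."""
    approved, failures, assigned = [], [], []
    provisioned_on = None
    for raw in audit_trail.splitlines():
        line = raw.strip()
        if m := APPROVED.search(line):
            approved.append((m.group(1), _date(m.group(3))))
        elif m := PROVISIONED.search(line):
            provisioned_on = _date(m.group(1))
        elif m := FAILED.search(line):
            failures.append((m.group(1).strip(), m.group(2).strip()))
        elif m := ASSIGNED.search(line):
            assigned.append((m.group(1), m.group(2), m.group(3).strip()))

    findings = []
    for system, message in failures:
        # A reported failure next to logged assignments means the workflow
        # status and the backend state disagree; the backend must be checked.
        hits = [role for role, _user, sys_id in assigned if sys_id == system]
        if hits:
            findings.append(("FAILED_BUT_ASSIGNED",
                             f"{system}: {len(hits)} role assignment(s) "
                             "logged despite reported failure"))
        if not message:
            findings.append(("EMPTY_ERROR_MESSAGE",
                             f"{system}: failure logged without an error text"))
    if provisioned_on is not None:
        for role, valid_from in approved:
            if valid_from > provisioned_on:
                findings.append(("FUTURE_VALID_FROM",
                                 f"{role}: valid from {valid_from.isoformat()}, "
                                 f"provisioned {provisioned_on.isoformat()}"))
    return findings


if __name__ == "__main__":
    for name, trail in (("failed", TRAIL_FAILED), ("future", TRAIL_FUTURE)):
        for code, detail in reconcile(trail):
            print(name, code, detail)
```

Any finding is a prompt to compare the request against the user's actual role assignments in the target system, since the trail alone does not prove what the backend holds.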

  • Auto provisioning for AD is not working in oim11gr2

    Hi All,
    I have current environment as OIM 11.1.2.0.7 and AD connector MSFT_AD_Base_11.1.1.5.0 with patch applied 14190610 and Connector_Server_111200
    I configured an auto provisioning to AD
    I created an access policy based on a role MSAD Users.
    I am expecting that when I assign this role the user should be provisioned to AD automatically, but it is not done. I also ran the Evaluate User Policies scheduler, which is in enabled state.
    I provisioned the user manually and it is working fine. I also checked the access policy with another target application, the R12 application, and it is also working fine.
    But I don't know why it is not working for AD. I filled all required fields in the process form, like organisation and AD Server.
    I ran into the same issue in DEV; at that time I applied BP07 to OIM and patch 14190610 to the AD connector, and after that it worked.
    Now my UAT is in same environment still it is not working
    Please suggest me some solution
    Regards
    $sid

  • How do you turn off the auto select behavior when working with shape layers?

    How do you turn off the auto select behavior when working with shape layers?
    I am using either of the path selection tools to select only some of the paths on the layer. I have the proper layer targeted. I have the selection tool auto select option turned off.
    If another layer has a path in that area, that layer becomes auto targeted and I get the wrong path. Turning off the layer is the only way to avoid this but then I have to  turn on the layer back on between making my selection and transforming to use the other layer as guide. Is there any way to stop this auto select? Locking the other layer does not stop the auto select, just prevents editing.

    As far as i know the move tool options don't have any effect on the path selection tools.
    You might try clicking on one of the path points or on the path itself with one of path selection tools and if you want to select multiple points
    you can shift click with the Direct Selection Tool or Alt click to select the entire path.
    more path shortcuts:
    http://help.adobe.com/en_US/photoshop/cs/using/WSDA7A5830-33A2-4fde-AD86-AD9873DF9FB7a.html
    http://help.adobe.com/en_US/photoshop/cs/using/WSfd1234e1c4b69f30ea53e41001031ab64-7391a.html

  • EBusiness Suite User "Auto-provisioning" and  "Self-Request" Problem

    I have two types of OIM User, Staff and Contingent
    Staff (Role = Full-Time)
    Contingent (Role = Contractor / Role = Consultant)
    Resource Object: eBusiness Suite User
    Here's my RO configuration:
    Auto Pre-populate: true
    Allow Multiple: true
    Self Request Allowed: true
    Allow All: true
    Auto-Launch: true
    EBS Connector, by default has two forms:
    UD_EBS_UO: Object Form
    UD_EBS_USER: Process Form
    I have requirement which will auto-provision eBusiness Suite User resource to Staff users.
    Originally, UD_EBS_OU is the table name used by the RO. For auto-provisioning to work, I have implemented it this way:
    First, I have defined a User Group for Staff and assign an Access Policy to it (for users with Role == Full-Time).
    Then, I have detached Object Form UD_EBS_UO from the RO. This way, when Staff user is created in OIM, it is automatically provisioned with eBusiness Suite User, though it won't have a Resource Form, only a Process Form. Process Form fields are automatically pre-populated with values (via my Pre-populate adapters).
    Now my problem is during Self-Request. Contingent user doesn't get auto-provisioned with EBS RO, but he can self-request for it. Problem is, since I detached the Object Form from the RO, user is not seeing any form during request. And I have a requirement that approver of the request should also be able to view/modify the details of the request form. But that is not possible now that Object Form does not exist for this RO.
    Is it possible that Self-Request and Auto-Provisioning works both ways under the same Resource Object? How do I configure that? Appreciate your quick response and help. :)
    Edited by: user10202544 on Feb 10, 2010 3:27 AM

    Yes I have set permissions to all users for the Object Form.
    It is required for me to have both Self Request and Auto-provisioning work for eBusiness Suite RO.
    During approval, however, the approver needs to see the Object Form (where he can view/modify its values before approving it). That's impossible for me since I detached the Object Form from the Resource Object. I need do to this for auto-provisioning to work.
    It seems that it doesn't work both ways. Any other suggestions?
